On Tue, Mar 18, 2008 at 1:58 PM, Michael Sierchio <[EMAIL PROTECTED]> wrote:

> David Schwartz wrote:
> > Michael Sierchio:
> >
> > > If it's your policy not to reuse keys, or allow their use beyond
> > > the lifespan of the certificate, then the enforcement mechanism
> > > for this MUST be in the CA.
> >
> > I completely disagree. If this were true, CAs would generate the private
> > key as part of the certificate issuing process.
>
> That doesn't follow. In any case, the only place where certificate issuing
> policy can be enforced is the RA and/or CA. The rest of your argument is
> just as specious, and I could make a career out of correcting your errors,
> but you're determined not to learn.
>
> - M
First: don't degenerate into personal 'ethos' attacks.

Second: there's a difference between 'certificate issuing policy' and 'key usage policy'. Certificate issuance is a statement of identity binding for a given key at a given assurance. No more, no less. Key Usage is a statement of "how long a key may be appropriately used for what it's being used for". No more, no less.

A CA does not and cannot specify the value of the data which can be encrypted or protected by any given key. It specifies things that third parties can know and rely on. Only the principal itself can know what it's actually going to use the key for.

Remember, the CA (and X.509 certificate chains) are only a relatively efficient means of transferring trust via policy. It is NOT the only way to transfer trust. (Remember that trust anchors can be arbitrarily created, trusted, untrusted, removed, what have you by anyone who creates a policy -- that is, anyone who owns or controls a computer system.)

Please remember that there are uses for keys outside the PKI. This is why private key storage formats should have a timestamp-of-generation, even if you can't see any use for such a field inside the PKI -- and even though I can.

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
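An added example (not code from the thread or from OpenSSL) of the separation Kyle describes: the key holder keeps a timestamp-of-generation in its own key record and enforces its own key-usage lifetime, independently of the validity period the CA wrote into the certificate, and can do so even when no certificate exists at all. The record format, purposes and lifetimes are constructed for illustration.

```python
# Key-usage policy enforced by the key holder, separately from certificate validity.
# Constructed example: the record format, purposes and lifetimes are illustrative.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class StoredKey:
    key_id: str
    generated_at: datetime  # timestamp-of-generation kept with the private key
    purpose: str            # only the principal knows what the key is really used for

@dataclass(frozen=True)
class Certificate:
    key_id: str             # the key the CA bound an identity to
    not_before: datetime
    not_after: datetime

# Principal's own key-usage policy: maximum age of a key per purpose (constructed values).
KEY_MAX_AGE = {"tls-server": timedelta(days=365), "code-signing": timedelta(days=3 * 365)}

def key_usable(key, cert, now, policy=KEY_MAX_AGE):
    """Return (ok, reason). The CA's statement (cert validity) and the local
    key-usage policy are checked independently; cert=None is a non-PKI use."""
    if cert is not None:
        if cert.key_id != key.key_id:
            return False, "certificate does not bind this key"
        if not cert.not_before <= now <= cert.not_after:
            return False, "certificate outside its validity period"
    max_age = policy.get(key.purpose)
    if max_age is None:
        return False, f"no key-usage policy for purpose {key.purpose!r}"
    if now - key.generated_at > max_age:
        return False, "key older than its usage policy allows"
    return True, "ok"

# Constructed sample: a TLS key generated on 2008-01-01 with a two-year certificate.
GEN = datetime(2008, 1, 1, tzinfo=timezone.utc)
KEY = StoredKey("k1", GEN, "tls-server")
CERT = Certificate("k1", GEN, GEN + timedelta(days=730))

def check_after(days, with_cert=True):
    """Evaluate the sample key `days` after generation, with or without its certificate."""
    return key_usable(KEY, CERT if with_cert else None, GEN + timedelta(days=days))

if __name__ == "__main__":
    for d in (100, 400, 800):
        print(d, check_after(d))
```

At day 400 the certificate is still valid, yet the key is refused because the holder's one-year policy, not the CA, is what bounds the key's life.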